Analysis Authorization failed for Multiprovider

Similar Messages

• ISE Alarm (WARNING): Dynamic Authorization Failed for Device

  Hi all,
  I am posting this discussion as previous posts that I have found in this forum have never been resolved or the resolution is not applicable to me.
  I am using ISE 1.1.1.268 and WLC 7.2.111.3 and NAC agent version 4.9.1.6 on Windows 7 Client machines.
  About once a day i get the error "ISE Alarm (WARNING): Dynamic Authorization Failed for Device".
  The device it is reffering to is my NAD, a WLC 5508 running 7.2.111.3
  I have looked at the logs and I cannot see anything in the logs which correcponds to this message so that I can troubleshoot further. Maybe I can if I am enabling the correct logging level on the correct ISE component.
  Can someone suggest the components and the logging level that I should set to get some more detail about this error?
  At the moment, I have only set debug logging on Active Directory. I have TRACE logging set on Posture, Runtime AAA & prrt-JNI.
  I do not want to enable too much debug logs, so I was wondering whether anyone can help with a specific element that I should be debugging.
  I thought debugging the posture element would be enough but when I look at the logs there is nothing there that relates to this message.
  Can anyone help?
  thanks
  Mario

  Firstly, I wouldn't run a production deployment of ISE on 1.1.1.... 1.1.3 Patch 1 or 1.1.4 is the way to go.
  Secondly, this error happen a lot, especially with Wireless, and it's not worth worrying about.  I've had a couple of TAC cases opened for this and some similar errors, generally they're caused by a Client going to sleep, leaving the coverage area or otherwise leaving the WLC while ISE is trying to do something with it.
  Only worry if you actually have a Client-impacting problem, which by the sounds of it, you don't.

• No Authorization check for MultiProvide (S_RS_MPRO)

  Hello Every body
  We have a problem regarding the authorization check for MultiProviders. We have assigned the auth. object S_RS_MPRO to a user for one specific MultiProvider. We have also turned on the settings for "MultiProvider" and "MultiPro. (Query) in IMG.
  Unfortunately the user has access to all the MultiProviders. We have traced the user and have found out, that there is no authorization check for the MultiProviders.
  We have tried to remove the settings mentioned above and use “InfoCube (Query)” setting instead in conjunction with S_RS_ICUBE. No luck here neither.
  One thing that could be important to mention is that the Settings for "MultiProvider" and "MultiPro. (Query) in IMG has been implemented before the object has been assigned to a user.
  For that We removed the settings from all Roles, and then we assigned the object to a user, and at last we activated the settings for "MultiProvider" and "MultiPro. (Query) in IMG. No luck here neither.
  Bottom line is that the system does not check for S_RS_MPRO
  Any kind of suggestion would be appreciated
  /FZA
  SAP_BW 350
  SP 12
  BI_CONT 353
  PI_BASIS 2004_1_640

  0.820 BW-BEX-OT-OLAP-AUT 619778 No check of S_RS_ICUBE for Multiprovider 16.10.2003
  2. 0.800 BW-WHM-DST-AUT 626385 Multiprovider: Authorization in query fails 07.10.2003
  3. 0.790 BW-BEX-OT-OLAP-AUT 662617 Activity is 'Change', but only 'Display' is checked 07.01.2004
  4. 0.760 BW-WHM-DST-AUT 626574 MultiProvider authorization check during query 17.10.2003
  5. 0.760 BW-WHM-DBA-MPRO 520588 New authorization object S_RS_MPRO 05.11.2003
  6. 0.750 BW-WHM-DST-AUT 736996 Authorization check performed on S_RS_MPRO 28.06.2004
  7. 0.700 BW 693363 SAPBWNews BW SP03 NW'04 Stack 03 RIN 22.04.2005
  8. 0.690 BW 692636 SAPBWNews BW SP02 NW'04 Stack 02 RIN
  hallo
  Please have allok at the mentioned OSS note
  Mike

• BI analysis authorization- checking for not equal to values

  hello,
  the info provider (ZIC_COPA) is having auth. relevant char. are 0COMP_CODE, PLANT, 0SALESORG.
  When i am executing query which is built on ZIC_COPA info provider. It is checking all above charcteristics value. But in RSECADMIN i found that system is checking for not equal to values. For ex. please see below RSECADMIN trace. It is checking not equal to values for PLANT. does anybody know why it is checking NOT PLANT IN values??
  0COMP_CODE
  0PLANT
  0SALESORG
  SQL Format:
  COMP_CODE IN ('1000',,'3200')
  AND NOT PLANT IN ('1000','3200')
  AND SALES
  ORG IN ('1000',','3200',')
  AND TCAACTVT = '03' 
  Note: There is no hardocoding or exclusion values in the query.
  Regards
  Imran
  Edited by: Imran  Mulani on Jun 21, 2009 1:13 PM

  ok

• Analysis Authorization in BO 4.0 Webi report

  Hi All,
  I am using BO 4.0 and creating connection from Information Design tool to a BW query using BICS client. This connection is then published to CMC.
  We are using SAP authentication and importing the roles from BW system. We have added profiles to this role and these profiles have Analysis Authorization set on Company Code. So one user can access data to one company code and vice versa. Now this works well in Bex Analyzer, but if I try to create a report in Webi, the analysis authorization fails. I went through the forum before posting this question and I found that is in 3.1 version and in most cases using SSO in universe connection solved the problem.
  However in 4.0 I am using BICS client and followed the same processes to create a connection but for some reason it doesn't work ? Is this suppose to work differently in 4.0 ?
  I have tried:
  1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
  2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
  3. Publish the connection to CMC with my Enterprise and SAP ID and in both cases it doesn't work.
  Please let me know if anyone encountered a similar issue and what is the best method to resolve this.
  (BO 4.0 no service pack or fix pack installed on the system yet)
  Thanks - Appreciate your help !
  Prasad Rasam

  Ingo,
  1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
  >> Correct you need to setup you OLAP Connection with SSO.
  >>> What I meant was I created the connections using both the methods, Using SSO it allows me to create a connection. The ID which I am using to create a connection has Admin access to BOBJ system. When I login as a regular user to create a Webi report and select this new connection, it throws an error message 'The DSL Service returned an error: com.businessobjects.dsl.services.workspace.impl.QueryViewAnalyzer$CannotGetCubeFromConnectionException: Cannot get the cube from the connection'
  Using the other method to create a connection with User ID and password, I can create a connection and with the normal user login I can connect to the BW query but Analysis Authorization doesn't work.
  Ingo : Could you be more specific what you mean here with the different users ? When you say "regular" user are you referring to an SAP credentials or SAP BusinessObjects Enteprrise credentials ?
  2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
  >> The variable in the BEx query needs to be an authorization variable.
  >>> This has already been set as Authorization variable. There is still a question here. If I select the variable as Authorization variable, I cannot set the other parameters in the query properties such as Mandatory variable (as this is greyed out).
  Ingo : What other parameters would you like to configure ? Could you perhaps describe the scenario with more details ?
  regards
  Ingo Hilgefort

• Analysis Authorization with SEM-BPS

  Hi,
  We have performed technical upgrade from BW 3.5 to BI 7.0. We want to migrate to BI 7.0 functionality phase wise.
  We have SEM-BPS and now we want to migrate to Analysis Authorization of BI 7.0.
  Once we have igrated to Analysis Authorization, will there be any impact on SEM-BPS? Can we still use SEM-BPS with New Analysis Authorizations? We do not want to move to BI-IP in near future?.
  Please advise.
  Best Regards,
  UR

  Dear UR,
  Iu2019m going to try helping you,
  In difference of reporting functionality, in planning, the data of an InfoCube is not just read; it is also changed or created.
  There are two planning tools in BI: BW-BPS (Business Planning and Simulation), and BI Integrated Planning.
  There are two main tcode: BPS0 and RSPLAN
  There are three authorization objects to manage Integrated Planning:
  S_RS_PL_ADMIN - Planning Administrator
  S_RS_PL_PLANNER u2013 Planner
  S_RS_PL_PLANMOD_D u2013 Planning Modeler (Development System)
  The main object in the planning scenario is InfoCube real-time, where can available writing in small package that arrive in parallel. In some cases the security requirements for reporting and planning can be merging. In this case you need authorization object for checking planning, as authorization object above, and you need authorization object for using a query for planning requires as S_RS_COMP.
  In addition to authorization for displaying data, the authorizations for changing data you need analysis authorization (the analysis authorization focus in the InfoProvider, no in Aggregation Level).
  In your analysis authorization design for reporting stuff, you should use in 0TCAACTVT characteristic 03 value. In the planning stuff, you should use in 0TCAACTVT characteristic 03 and 02 values. As explain following:
  Using the characteristics 0TCAACTVT (activity), you can restrict the authorization to different activities. Read (03) is set as the default activity; you must also assign the activity Change (02) for integrated planning.
  http://help.sap.com/saphelp_nw70ehp1/helpdata/en/b1/0c9441b8972e7be10000000a1550b0/frameset.htm
  I hope this suggestion can help you answer question,
  Luis

• 'No authorization' error for selection values outside the authorized range

  Hi All,
  We are currently trying to use the authorization analysis concept for 'Cost center reporting'.
  We have made 0COSTCENTER info-object as authorization relevant and have created a analysis authorization object for it through RSECADMIN and we have maintained a single value as '1875' . We have assigned this object to 1 of the test users.
  So now if the user runs the report for cost center '1875' , he is able to view the data/report. Now if he enters any other cost center apart from '1875' than he gets an authorization error (Everything works as per requirement till this point).
  But now if the user enters multiple cost centers like 1875, 1876, 1877 as multiple single values and runs the report, he gets an 'No authorization error'.
  So all the experts, please let me know if it's possible in anyway for the user to see the result/report for the value he is authorized to (in this case - 1875) and should give an information/warning/error message saying that he is not authorized to other cost center (in this case - 1876, 1877).
  Same thing is occuring if user enters a range. Suppose a user is authorized for cost center - 1875 to 1880. Now if he puts multiple single values or range in between the authorized range than he can see the result but if he enters even 1 single value outside the range he gets an error - what I mean by this is - if the user enter a range from 1875 to 1801, he does not get any data display but instead he recieves an error message saying 'No authorization' even though he is authorized for all the cost centers in that range except 1801.
  I would really appreciate your help regarding this. Any comments/suggestions are very welcome.
  Thanks & regards,
  Sunny

  Hi Sunny
  That is the way analysis authorizations work!!
  If you ask for a number of values i.e. cost centers and you don't have authorization to *all* of them you will get a system error as you say.
  There is no way of partially evaluating the query as you suggest (only for the authorized values).
  Try to be less restrictive when defining characteristic values in RSECADMIN.
  In queries use variables with
  Processing by Authorization and Input Ready.
  So the system will tell the user which are the allowed values. In your example the system suggests the range 1875-1880.
  Hope this helps, regards
  Germá

• ISE: Dynamic Authorization Failed

  Hi,
  I am gettning warning messages in ISE saying
  Cause:
  Dynamic Authorization Failed for Device: 0002SWC003 (switch)
  Details:
  Dynamic Authorization Failed
  It is not only on that switch but on all switches I have configured. I am using 3560 IPBase 12.2(55)SE6. I have configured them according to Trustsec 2.1.
  My end devices are none-802.1x.
  I can't figure out what is causing this error.
  The thing is that I have not experienced any problem. In Live Authentications there are some 'Unknown' and 'Profiled' devices hitting the DenyAccess rule, but other then that everying is beeing Authorized fine.
  Anyone got an idea what could be causing this error?
  Regards,
  Philip

  This is what I have found out.. Using ISE Version 1.1.1.268. If you go the logs page
  Jan 10,13 7:39:12.147 AM
  Dynamic Authorization failed
  and then go to the details...
  Failure Reason > Authentication Failure Code Lookup
  Failure Reason :
  11213 No response received from Network Access Device
  Generated on:January 10, 2013 8:08:17 AM PST
  Description
  No response received from Network Access Device.
  Resolution Steps
  Check the connectivity between ISE and Network Access Device. Ensure that ISE is defined as Dynamic Authorization Client on Network Access Device and that CoA is supported on device.
  ...next check into Resolution Steps...

• Different Analysis Authorization on same infoprovider

  Hi All,
  I want to setup authorization for the below scenario. I have tried different options but not able to achieve it. Request your inputs.
  Query 1: Z_REPORT1_NOCUST (Only Aggregate authorization-no customer wise drill down)
  Query 2: Z_REPORT2_CUST (Customer wise drill down possible)
  Above both query is from Same info provider. Hence i have tried creating 2 analysis authorization one is for Aggregate authorization for customer I/O and another is for Full authorization on customer. And created 2 different PFCG roles one for each analysis authorization created and assigned both role to a user.
  But when the report is executed both the query was able to drill down with customer. Itseems analysis authorization created for aggregate quthorizaiton is not working and full authoization is over rulling.
  How to resolve this, need your valuable inputs.
  Thanks in advance
  Prem

  You cannot give both roles to the same user that give authorization to the same info provider. This is your problem.
  The security system assembles the user's rights from all of his roles. If two roles provide rights to infoprovider "A", and one gives ":" (Aggregate) rights to 0CUSTOMER, and the other gives "" (All) rights to 0CUSTOMER, then the rights used for the query will be the "" (all) rights for 0CUSTOMER, and the Aggregate rights will be ignored.
  If you truly wish to have two separate reports, one that reports 0CUSTOMER at an aggregate level only (for example, by customer group), and the other by 0CUSTOMER drilldown, then simply remove 0CUSTOMER from the aggregate query.

• Analysis Authorization : Selection screen not appearing for query

  Hi,
  I am facing an issue with analysis authorization. I have created the new roles and assigned to the users. For one user when I am executing the query, the selection screen is not coming up and it shows error message to specify the variables. Whereas its running for all other users.
  In S_RS_COMP I have selected Type of a reporting component as Query View, Query & Template structure. I also tried adding Variable in this field but that also did not help.
  Please let me know if you have faced similar issue.
  Regards,
  Manish

  Hi,
  Go to your query desinger opend your query and select your variable in that you have see first "Ready Input Query" Check box is selected or not. It's not selected you can select that check box.
  Your problem will be sloved.
  Thanks & Regards,
  venkat.

• Analysis Authorization for nav Attr Issue

  Hello:
  I have a 0COMP_CODE as an attribute of 0SALSORG and it is marked as authorization relevant. i.e 0SALESORG_0COMP_CODE is authorization relevant.
  I created an analysis authorization Object ZCOMPCODE_1000 by adding following in it.
  InfoObject           Value
  0COMP_CODE  = 1000
  0SALESORG = *
  0SALESORG_0COMP_CODE = 1000
  0TCAACTVT = *
  0TCAIPROV - *
  0TCAKYFNM = *
  0TCAVALID = *
  Now I have a report on a cube which has 0SALESORG as char and also 0SALESORG as a variable on selection.
  When I run a query for sales org = 1000, I can see rsults as sales org 1000 is assigned to company code 1000.
  If I run report for sales org 2000, I should get not authorized message as 2000 is not assigned to company code 1000 and I only have a role assigned to me which has analysis authorization object ZCOMPCODE_1000. But Still I am getting report results.
  Please explain Why and How can I overcome this issue.
  Thanks

  First of all it is strange that we see two appearances of sales org.
  0SALESORG = *
  0SALESORG_0COMP_CODE = 1000
  Probably the star value overrides the setting in the second one.
  Besides did you create the variable in the query as authorization relevant or you will have problems there.

• Problem wih analysis authorization for two scenarios on same data provider

  Dear all,
  I am looking for a solution on the following authorization scenario (using the new analysis authorization). Unfortunately everything that I tried did not work out as expected:
  User A is allowed to manually access query 1 (based on cube A) with authorization on all sites A-Z
  The same user A shall get an email distribution automatically (derivation of the filter in the query out of the authorization) for query 2, which is as well based on cube A, but this time the authorization shall be limited only to site A.
  As both queries are based on the same infoobject (0PLANT) and the same infoprovider (0TCAIPROV) I always get the result for all sites A-Z. The 0TCAACTVT is in both cases 03 (display), so I have no chance to distinguish between reporting and email distribution.
  Probably the only chance would be to derive the values for the email distribution scenario not from the authorization directly, but using a customer exit to fill the filter - but I would prefer a "standard" solution...
  Any ideas??
  Thanks,
  Andreas

  Dear Andreas,
  Before give you an alternative for you problem, Iu2019d like to comment the combining authorization concept:
  http://help.sap.com/saphelp_nw70/helpdata/EN/46/98cd87f37d19ace10000000a11466f/frameset.htm
  For this reason I suggest you which combing restriction through authorization and query filter. For query 2 try to use in 0PLANT characteristic the single value u201Csite Au201D, this restriction give you only authorization for see this value.
  Otherwise, you have to use customer exit.
  I hope that alternative help you to find a solution,
  Luis

• Table for Analysis authorization along with values for authorization fields

  Hi,
  I am looking for table that contains the Analysis Authorization name along with values for all the authorization fields within this Analysis Authorization. Individually i can go to PFCG or Rsecadmin but since i need all the Analysis auth objects, i need to get this info into excel, so need a table.

  Hi Prashanth
    You can check RSECVAL that is appropriate for your requirement please let us know if any further help is needed.
  Thanks & Regards
  Santosh Varada

• Error when Executing the Report - No Authorization for Multiprovider

  Hello Experts,
  After the upgrade has carried out in my Quality system, I'm unable to execute a query because of the authorization issue with Multiprovider. But earlier the same Authorization was assigned to the my ID.
  The Role in Q and the Role in P is same. Right now P is with 3.1 and Q is with BI7.
  In both the system I have the same Role. But in Q it says that: Error You have no Authorization for Multiprovider XXXX
  This is happening for only one Multiprovider in Quality system. There is no change in the Multiprovider from earlier structure to the present structure.
  Can anyone give me any idea as to how to solve this issue?
  Many thanks in Advance..
  Thanks
  Raman.. This is Emergency for me..

  Ok,
  Pick up a test user (or your user) and go to transaction su01.
  Check the roles that are assigned.
  Double-click in each one and choose display. Go to tab authorizations and click on the glasses icon of displaying authorizations data. Then go to menu->Utilities->Technical names On.
  You should see the tree with the node name Business Information Warehouse (technical name RS), if you don't see this in this role, than the issue it's not in this role, go back to su01 and check another role the same process until you find this node.
  If you expand this node you'll see another nodes, one of them is called Data Warehousing Workbench - InfoCube (technical name S_RS_ICUBE). And you probably can't find another node called Data Warehousing Workbench - MultiProvider (technical name S_RS_MPRO), this is the new node you want.
  In the node S_RS_ICUBE expand it and you'll see the authorizations given to InfoCubes with activity, InfoArea and InfoCube. In the older system BW 3.x this object was used to give access to InfoCubes, but also to MultiCubes. So you have to find the role that has this object with InfoCube with the value of MultiCube or with all values, for example, you could have this node in your role with the following values:
  Activity                       03                 
  InfoCube Subobject     DATA               
  InfoArea                     ZFI*               
  InfoCube                    ZFIAA_C11, ZFIAA_C13, ZFIAA_M02
  or with:
  Activity                       03                 
  InfoCube Subobject     DATA               
  InfoArea                     ZFI*               
  InfoCube                    *
  or with:
  Activity                       03                 
  InfoCube Subobject     DATA               
  InfoArea                     ZFI*               
  InfoCube                    ZFI*
  Something like that. The first example give access to specific InfoCubes and one MultiCube, the second one you'll have all the InfoCubes and MultiCubes inside the InfoArea started  with name ZFI and the third one you'll have all InfoCubes and all MultiCubes started with name ZFI that belongs to the InfoArea started with name ZFI also.
  Got the picture?
  So in BI 7 MultiCubes are now controlled by the new object S_RS_MPRO instead of the older object S_RS_ICUBE. What you should do is go to transaction pfcg and insert the role you want to include (or change these new values, i.e., the role that has the access to the MultiCube values inside the object S_RS_ICUBE which the query is built on) the new object S_RS_MPRO and click on change. Go to tab authorizations and click on change authorization data. Then click on manually (ctrlshiftF9) and insert the object S_RS_MPRO. Inside this new object you should insert the authorization data for accessing your multiproviders.
  In the 3 examples above you should create these 3 entries:
  Activity                          03                 
  InfoArea                         ZFI*
  MultiProvider                  ZFIAA_M02
  MultiProvider Subobject  DATA                              
  or with:
  Activity                          03                 
  InfoArea                        ZFI*               
  MultiProvider                  *
  MultiProvider Subobject  DATA                              
  or with:
  Activity                         03                 
  InfoArea                        ZFI*               
  MultiProvider                 ZFI*
  MultiProvider Subobject  DATA                              
  Therefore you continue to have the object S_RS_ICUBE to control only the InfoProviders plus the new object S_RS_MPRO to control the MultiProviders.
  Now generate the profile(s), save the role(s) and test it again!
  Diogo.

• Failed to activate authorization check for user SAPSYS

  Hi Experts
  I am trying to run the sdcc, it was throwing time_out error. i have increased the work process runtime. now
  i am getting a error Failed to activate authorization check for user SAPSYS.
  Please help me to solve this issue.
  Regards
  Venkat

  Hi, Mr. Joe Bo.
  Thanx for your reply. We are using ECC6 (HP Unix with Oracle)
  Basis Patch - 15, Kernel 159
  I have seen the the note but it's showing ccms method defination settings, but for my case we are yet to go live we have not made any settings from sap they are planning to run a session for the go live. When i am running sdcc i am getting a error in the system log "Failed to activate authorization check for user SAPSYS"
  Thanks & Regards
  Venkatesan J